Australia’s spy agency is “going hunting” for ransomware gangs “every night”, according to Home Affairs secretary Mike Pezzullo, who has reaffirmed the government’s commitment to an offensive cyber capability.
At the same Senate Estimates hearing, it was revealed that the federal government’s new Ransomware Action Plan contains no new funding, and its mandatory notification scheme legislation won’t be seen in Parliament this year.
Addressing a Senate Estimates hearing on Monday, Mr Pezzullo said that the Australian Signals Directorate’s (ASD) offensive cyber capabilities are in use “every night”.
“We’re going hunting. We’re using offensive capabilities and once certain administrative things are in place you’ll see the AFP very actively going after covert IT infrastructure,” Mr Pezzullo told the hearing.
“[ASD] Director-General Rachel Noble, under the technical assistance powers that are available to her under the ISA Act, they’re hunting. They’re hunting every night, I can assure you.”
The comments came three months after home affairs minister Karen Andrews announced that “time’s up” for ransomware gangs, with the creation of a new AFP-led taskforce to tackle the issue.
At the Estimates hearing this week, Mr Pezzullo revealed that this taskforce is yet to get off the ground due to administrative delays with the new Identify and Disrupt powers, which were passed into law in August.
But he did confirm that the ASD is already utilising its offensive cyber capabilities, which were first confirmed by former Prime Minister Malcolm Turnbull in 2016.
Australian Strategic Policy Institute International Cyber Policy Centre director Fergus Hanson said Australia’s offensive cyber capability is well known, but more is needed to combat cyber risks.
“It’s one part of the response, but in the scheme of things it’s not going to solve this problem unfortunately. The effects are only temporary so it’s not a huge deterrent. But it’s a good option to have,” Mr Hanson told InnovationAus.
Mr Pezzullo also confirmed that the federal government’s recent Ransomware Action Plan does not contain any new funding, with the cash already announced in last year’s Cyber Security Strategy.
The Coalition recently announced that it would introduce a mandatory ransomware notification reporting scheme, similar to the existing data breach notification scheme. It also plans to introduce tougher penalties for ransomware criminals.
Mr Pezzullo said the department’s policy work on this piece of legislation was expected to be completed this year, meaning it’s unlikely to hit Parliament until at least February next year.
The Opposition criticised these revelations as evidence that the government’s ransomware posturing is “all announcement, no action”.
“This looks like yet another announcement that won’t be delivered this term,” shadow assistant minister for cybersecurity Tim Watts said.
“The government has been dithering for nine months while the issue escalated into a crisis. Today, ransomware is a billion dollar a year cost to the nation which threatens jobs and investments.
“The Morrison government should stop announcing and start acting to protect Australians from the scourge of ransomware.”
Labor has introduced a bill to Parliament which would implement a mandatory ransomware notification scheme, but this is yet to be debated in the house.